1337JiveTurkey
Feb 17, 2005

If I could get away with it, I'd like to try something which looks like it's that insecure but really just uses URL rewriting to drive a conventional locked down back end, then watch the server logs for whatever poo poo people fling at it.

stuxracer
May 4, 2006

It really is interesting to see that kind of stuff people try - well for a while then it gets boring. We have a feedback form that is constantly a target with crap like this
code:
;/bin/uname --help
;/etc/hosts
;/etc/passwd
;/usr/bin/id
;/usr/bin/uname --help
) OR 1=(0
) OR 1 in (2
) AND 1 in (1
(select name from master..syslogins)
(select user_name())

stuxracer fucked around with this message at 15:33 on Oct 16, 2013
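Seen from the receiving end, the useful thing to do with a dump like that is to tag it automatically rather than read it. The following is an added example (not stuxracer's code and not any product's rule set): a small Python scanner that classifies feedback-form submissions against the probe families in the list above (shell metacharacter plus absolute path, boolean SQL probes, MSSQL account reconnaissance) and flags a source that fires many of them in a short window. The log line format, timestamps and IP addresses are constructed for the example.

```python
import re
from collections import Counter

# Signatures for the probe families in the feedback-form dump above.
# Each regex is deliberately narrow so that ordinary prose with a ';' or
# a path in it does not trip it.
PROBE_SIGNATURES = {
    # a command separator followed by an absolute path under /bin, /usr/bin or /etc
    "shell_cmd_injection": re.compile(r";\s*/(?:bin|usr/bin|etc)/\S+", re.I),
    # ') OR 1=(0', ') OR 1 in (2', ') AND 1 in (1'
    "sql_boolean_probe": re.compile(r"\)\s*(?:OR|AND)\s+\d+\s*(?:=|in)\s*\(", re.I),
    # MSSQL account enumeration: master..syslogins, user_name()
    "sql_mssql_recon": re.compile(r"\bmaster\.\.syslogins\b|\buser_name\s*\(\s*\)", re.I),
}

# Constructed feedback-form log lines (not real traffic). The msg values are
# the strings from the post plus a few benign submissions that must not match.
LOG_LINES = [
    'ts=2013-10-16T15:01:02Z ip=203.0.113.7 msg=";/bin/uname --help"',
    'ts=2013-10-16T15:01:03Z ip=203.0.113.7 msg=";/etc/passwd"',
    'ts=2013-10-16T15:01:03Z ip=203.0.113.7 msg=";/usr/bin/id"',
    'ts=2013-10-16T15:01:04Z ip=203.0.113.7 msg=") OR 1=(0"',
    'ts=2013-10-16T15:01:04Z ip=203.0.113.7 msg=") OR 1 in (2"',
    'ts=2013-10-16T15:01:05Z ip=203.0.113.7 msg=") AND 1 in (1"',
    'ts=2013-10-16T15:01:05Z ip=203.0.113.7 msg="(select name from master..syslogins)"',
    'ts=2013-10-16T15:01:06Z ip=203.0.113.7 msg="(select user_name())"',
    'ts=2013-10-16T15:09:41Z ip=198.51.100.12 msg="Great product; will order again"',
    'ts=2013-10-16T15:12:09Z ip=198.51.100.30 msg="the config lives in /etc/app.conf btw"',
    'ts=2013-10-16T15:14:55Z ip=198.51.100.30 msg="Price (1) or (2)? Both?"',
]

# Constructed key=value log layout used by the sample lines above.
LINE_RE = re.compile(r'^ts=(?P<ts>\S+) ip=(?P<ip>\S+) msg="(?P<msg>.*)"$')


def classify(msg):
    """Return the names of every probe signature the message matches (usually one)."""
    return [name for name, rx in PROBE_SIGNATURES.items() if rx.search(msg)]


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparsable log line: " + line)
    return m.groupdict()


def scan(lines, burst_threshold=5):
    """Tag every submission and flag sources whose probe count reaches the threshold.

    Returns (findings, noisy_sources). findings is a list of parsed records with
    a 'tags' list added; noisy_sources maps an IP to its probe count when that
    count is >= burst_threshold. Many different probe families from one source
    in a short window is the shape of an automated scanner, as opposed to a
    single odd-looking message from a real user.
    """
    findings = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        tags = classify(rec["msg"])
        if tags:
            rec["tags"] = tags
            findings.append(rec)
            per_ip[rec["ip"]] += 1
    noisy = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return findings, noisy


if __name__ == "__main__":
    found, noisy = scan(LOG_LINES)
    for rec in found:
        print(rec["ts"], rec["ip"], rec["tags"], repr(rec["msg"]))
    print("noisy sources:", noisy)
```

The benign lines are the important part of the test set: a semicolon in normal text and a bare path like /etc/app.conf must stay untagged, otherwise the rule is just a noisier version of grepping for `;`.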

SupSuper
Apr 8, 2009

At the Heart of the city is an Alien horror, so vile and so powerful that not even death can claim it.

substitute posted:

Just encountered this in the URL bar on a partner's website:

<url w/ query string>... &_statement=SELECT%20*%20FROM%20fabrics%20where%20type%20like%20'%<our product's name>%'%20AND%20photo%20like%20'%jpg%'%20and%20dropped%20=0%20and%20active=1%20order%20by%20name

Reminds me when I found a public website where all the URLs had this format:

ftp://username:password@server/absolute/path/to/page.html

As an extra perk the server kept collapsing every few minutes under "too many connections". :v:

Dren
Jan 5, 2001

Pillbug

Beamed posted:

If I recall someone actually took advantage of it to hack it, and claimed that it was to warn the devs or something.

Some people advocated for exploiting it because that was the only way they could see to prove to the meatboy devs who just wouldn't listen that it was really a problem. Those people were compared to victim-blaming rapists, which was hyperbolic and inflammatory though not entirely inaccurate.

evensevenone
May 12, 2001
Glass is a solid.

stuxracer posted:

It really is interesting to see that kind of stuff people try - well for a while then it gets boring. We have a feedback form that is constantly a target with crap like this
code:

;/bin/uname --help
;/etc/hosts
;/etc/passwd
;/usr/bin/id
;/usr/bin/uname --help
) OR 1=(0
) OR 1 in (2
) AND 1 in (1
(select name from master..syslogins)
(select user_name())

That kind of stuff is probably just webcrawling bots that just hit every form they see with a bunch of attacks. Why target one site with an obscure vulnerability when you can target millions and assume some small percentage have obvious vulnerabilities?

Beamed
Nov 26, 2010

Then you have a responsibility that no man has ever faced. You have your fear which could become reality, and you have Godzilla, which is reality.

Dessert Rose posted:

You could also read the actual story in this very thread. There's even a convenient link literally two posts before yours!

:ssh: I read the whole thread and read about it already, but there was more drama than that involved.

stuxracer
May 4, 2006

evensevenone posted:

That kind of stuff is probably just webcrawling bots that just hit every form they see with a bunch of attacks. Why target one site with an obscure vulnerability when you can target millions and assume some small percentage have obvious vulnerabilities?

I realize I said person, but I don't mean an actual human typing it out in the form. It clearly was a bot because of the frequency of the requests.

HORATIO HORNBLOWER
Sep 21, 2002

no ambition,
no talent,
no chance

I don't even know what to say about this. I thought I was used to seeing terrible code in our rotten, diseased codebase but there's just constantly new and wonderful surprises in there.

Java code:
private Hashtable<String, String> things;

public void setThing(String name, String value)
{
    // Walks every entry comparing keys by hand, although things.put(name, value)
    // on its own already replaces the value when the key is present.
    Iterator<Entry<String, String>> it = things.entrySet().iterator();
    Entry<String, String> currentEntry = null;
    while(it != null && it.hasNext()) {   // iterator() never returns null, so that check is dead
        currentEntry = it.next();
        if(currentEntry.getKey().equals(name)) {
            currentEntry.setValue(value);
            return;
        }
    }
    things.put(name, value);
}

Janitor Prime
Jan 22, 2004

PC LOAD LETTER

What da fuck does that mean

Fun Shoe

I would fire that person so hard, god drat that's such a flawed understanding of basic data structures ugh

nuvan
Mar 29, 2008

And the gentle call of the feral 3am "Everything is going so well you can't help but panic."

HORATIO HORNBLOWER posted:

I don't even know what to say about this. I thought I was used to seeing terrible code in our rotten, diseased codebase but there's just constantly new and wonderful surprises in there.

Java code:
private Hashtable<String, String> things;

public void setThing(String name, String value)
{
    Iterator<Entry<String, String>> it = things.entrySet().iterator();
    Entry<String, String> currentEntry = null;
    while(it != null && it.hasNext()) {
        currentEntry = it.next();
        if(currentEntry.getKey().equals(name)) {
            currentEntry.setValue(value);
            return;
        }
    }
    things.put(name, value);
}

Is there any actual reason for this other than to degrade average case performance from O(1) to O(n)? Because I can't see any other reason.

baquerd
Jul 2, 2007

by FactsAreUseless

nuvan posted:

Is there any actual reason for this other than to degrade average case performance from O(1) to O(n)? Because I can't see any other reason.

Paid per line of code, and paid to improve performance metrics over baseline. Get paid once making it slow, get paid twice making it fast.

Dr Monkeysee
Oct 11, 2002

just a fox like a hundred thousand others
Nap Ghost

evensevenone posted:

That kind of stuff is probably just webcrawling bots that just hit every form they see with a bunch of attacks. Why target one site with an obscure vulnerability when you can target millions and assume some small percentage have obvious vulnerabilities?

At work we have a bot that attacks one of our sites by requesting a query page with an empty query. Every 5 minutes. All an empty query does is we give you an error page saying "whoops you didn't give us a query". It only involves the top level of our stack since the request immediately fails basic input validation. It's too slow to even be a simple DoS. It has been doing this for years. It is able to cycle user agent and IP address when we block it (it's not high volume enough for us to really care about seriously smacking it down). It's sophisticated enough to elude simple blocking schemes but not sophisticated enough to do anything but request the same error page over and over and over. It's like a really dumb pet at this point.

There's thousands of bots out there that do similarly nonsensical things. I'd like to think the sum total of this traffic is the first tentative wisps of the Internet going sentient.
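An added Python example, not from Dr Monkeysee's site, showing how that "empty query every 5 minutes" visitor can be picked out even though per-IP and per-User-Agent counters miss it once it rotates: group the error-producing requests by their shape instead of their source and look for a near-constant inter-arrival time. The access-log format and every address, agent string and timestamp below are constructed.

```python
import re
from datetime import datetime, timedelta
from statistics import median, pstdev

# Constructed access-log layout:
#   <ISO timestamp> <ip> "<method> <path>[?<query>] HTTP/1.1" <status> "<user agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>[^ ?"]+)'
    r'(?:\?(?P<query>[^ "]*))?[^"]*" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
HUMAN_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"


def _line(ts, ip, path, status, ua):
    return '%s %s "GET %s HTTP/1.1" %d "%s"' % (
        ts.strftime("%Y-%m-%dT%H:%M:%SZ"), ip, path, status, ua)


def build_sample_log():
    """Constructed log: a bot hitting /search with an empty query every ~5 minutes
    while rotating IP and User-Agent, mixed with ordinary browsing."""
    base = datetime(2013, 10, 16, 12, 0, 0)
    bot_ips = ["198.51.100.4", "203.0.113.9", "192.0.2.77"]
    bot_uas = ["Mozilla/5.0 (compatible; dumb-pet/1.0)", "curl/7.29.0"]
    jitter = [0, 2, -1, 1, 0, 3, -2, 1]          # seconds off the 300 s schedule
    lines = [
        _line(base + timedelta(seconds=300 * i + j), bot_ips[i % 3], "/search?", 400, bot_uas[i % 2])
        for i, j in enumerate(jitter)
    ]
    humans = [
        (37, "198.51.100.200", "/search?q=wool", 200),
        (412, "198.51.100.200", "/search?q=cotton", 200),
        (415, "203.0.113.50", "/fabrics/12", 200),
        (416, "203.0.113.50", "/favicon.ico", 404),    # a lone 4xx: too few hits to matter
        (1190, "203.0.113.50", "/search?q=silk&page=2", 200),
        (1301, "198.51.100.77", "/search?q=", 200),   # 'q=' is not an empty query string
    ]
    for offset, ip, path, status in humans:
        lines.append(_line(base + timedelta(seconds=offset), ip, path, status, HUMAN_UA))
    return sorted(lines)                              # ISO timestamps sort as text


def detect_periodic(lines, min_hits=6, max_jitter=0.05):
    """Group 4xx requests that carry no query by path, ignoring IP and UA, and
    report groups whose inter-arrival times are nearly constant."""
    groups = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # only the 'empty query -> error page' shape from the post
        if rec["query"] or not rec["status"].startswith("4"):
            continue
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        groups.setdefault(rec["path"], []).append((ts, rec["ip"], rec["ua"]))

    findings = []
    for path, hits in groups.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        period = median(gaps)
        # relative spread of the gaps: a scheduled job sits near zero,
        # human traffic to an error page does not
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            findings.append({
                "path": path,
                "count": len(hits),
                "period_seconds": round(period),
                "distinct_ips": len({h[1] for h in hits}),
                "distinct_uas": len({h[2] for h in hits}),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_periodic(build_sample_log()):
        print(finding)
```

The grouping key is the request shape, so the rotation that defeats an IP block is exactly what shows up in the report (three IPs, two agents, one schedule). A one-off human hit on the same error page would disturb the gap statistics, so in practice you would bucket by day or use a more robust measure than the standard deviation, but the idea is the same.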

substitute
Aug 30, 2003

you for my mum

substitute posted:

Just encountered this in the URL bar on a partner's website:

<url w/ query string>... &_statement=SELECT%20*%20FROM%20fabrics%20where%20type%20like%20'%<our product's name>%'%20AND%20photo%20like%20'%jpg%'%20and%20dropped%20=0%20and%20active=1%20order%20by%20name

Update: :stare:

It goes so much deeper...

I can't even...

:stonk:

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe

Come on, spit it out.

substitute
Aug 30, 2003

you for my mum

Suspicious Dish posted:

Come on, spit it out.

GET method forms that accept basically anything and make them hidden fields. Or hell, close the tag and inject/display whatever you want on the page.

POST method forms with hidden fields and the values are full SQL statements.
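An added Python/sqlite3 example, not the partner site's code, contrasting the two designs substitute describes: a handler that executes whatever statement arrives in the request, beside one where the client can only name a query and supply a value that is bound as a parameter (and LIKE-escaped so it cannot widen the match). The fabrics table and its rows are constructed to mirror the query in the URL quoted earlier.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the partner's fabrics table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fabrics (name TEXT, type TEXT, photo TEXT, dropped INTEGER, active INTEGER)")
    conn.executemany("INSERT INTO fabrics VALUES (?, ?, ?, ?, ?)", [
        ("Arctic Wool", "wool", "arctic.jpg", 0, 1),
        ("Blue Cotton", "cotton", "blue.jpg", 0, 1),
        ("Old Cotton", "cotton", "old.jpg", 1, 1),     # dropped
        ("Red Cotton", "cotton", "red.png", 0, 1),     # no jpg photo
        ("Secret Silk", "silk", "silk.jpg", 0, 0),     # inactive
    ])
    return conn


def vulnerable_lookup(conn, params):
    """The pattern from the URL / hidden field: the client supplies the whole statement,
    so every filter the page intended (dropped, active, photo) is the client's choice."""
    return [row[0] for row in conn.execute(params["_statement"])]


# Hardened version: the request names a query, the SQL text lives server-side.
QUERIES = {
    "fabrics_by_type": (
        "SELECT name FROM fabrics "
        "WHERE type LIKE ? ESCAPE '\\' AND photo LIKE '%jpg%' "
        "AND dropped = 0 AND active = 1 ORDER BY name"
    ),
}


def escape_like(text):
    """Escape LIKE wildcards so user input can only match literally."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def safe_lookup(conn, params):
    query_id = params.get("q")
    if query_id not in QUERIES:
        raise ValueError("unknown query")
    product = params.get("type", "")
    if not (1 <= len(product) <= 64):
        raise ValueError("type must be 1-64 characters")
    pattern = "%" + escape_like(product) + "%"
    # the product name travels as a bound parameter, never as SQL text
    return [row[0] for row in conn.execute(QUERIES[query_id], (pattern,))]


if __name__ == "__main__":
    db = make_db()
    print(safe_lookup(db, {"q": "fabrics_by_type", "type": "cotton"}))
    print(safe_lookup(db, {"q": "fabrics_by_type", "type": "%"}))
    print(vulnerable_lookup(db, {"_statement": "SELECT name FROM fabrics"}))
```

Two things worth noticing: a bare `SELECT name FROM fabrics` through the first handler returns the dropped and inactive rows the page was never supposed to show, and a `%` sent to the second handler matches nothing instead of everything, because the value is escaped before it reaches LIKE.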

nielsm
Jun 1, 2009

substitute posted:

GET method forms that accept basically anything and make them hidden fields. Or hell, close the tag and inject/display whatever you want on the page.

POST method forms with hidden fields and the values are full SQL statements.

In short, an abridged history of every web vulnerability ever.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

HORATIO HORNBLOWER posted:

I don't even know what to say about this. I thought I was used to seeing terrible code in our rotten, diseased codebase but there's just constantly new and wonderful surprises in there.

Java code:
private Hashtable<String, String> things;

public void setThing(String name, String value)
{
    Iterator<Entry<String, String>> it = things.entrySet().iterator();
    Entry<String, String> currentEntry = null;
    while(it != null && it.hasNext()) {
        currentEntry = it.next();
        if(currentEntry.getKey().equals(name)) {
            currentEntry.setValue(value);
            return;
        }
    }
    things.put(name, value);
}

Well, you made my eyes bulge which is an achievement I suppose :stare:

xtal
Jan 9, 2011

by Fluffdaddy

1337JiveTurkey posted:

If I could get away with it, I'd like to try something which looks like it's that insecure but really just uses URL rewriting to drive a conventional locked down back end, then watch the server logs for whatever poo poo people fling at it.

Our app's error logs are 99% people trying to exploit query strings (for pages, etc.) with SQL injections and string format attacks. Some of them are pretty clever, but we just cast the entire string to an integer so.

HORATIO HORNBLOWER
Sep 21, 2002

no ambition,
no talent,
no chance

Hard NOP Life posted:

I would fire that person so hard, god drat that's such a flawed understanding of basic data structures ugh

The person who wrote this code left our company about a year ago. He got a better offer somewhere else. This is actually some of the more lucid code he was responsible for, in that it is desperately wrong-headed but you can actually almost comprehend what it's trying to do.

Salynne
Oct 25, 2007

HORATIO HORNBLOWER posted:

The person who wrote this code left our company about a year ago. He got a better offer somewhere else. This is actually some of the more lucid code he was responsible for, in that it is desperately wrong-headed but you can actually almost comprehend what it's trying to do.

Whenever I feel like I'm not a good enough programmer I read things like this and remember the truth.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

General Olloth posted:

Whenever I feel like I'm not a good enough programmer I read things like this and remember the truth.

That misery loves blood sacrifices of developers company, you mean?

shodanjr_gr
Nov 20, 2007

HORATIO HORNBLOWER posted:

I don't even know what to say about this. I thought I was used to seeing terrible code in our rotten, diseased codebase but there's just constantly new and wonderful surprises in there.

Java code:

private Hashtable<String, String> things;

public void setThing(String name, String value)
{
    Iterator<Entry<String, String>> it = things.entrySet().iterator();
    Entry<String, String> currentEntry = null;
    while(it != null && it.hasNext()) {
        currentEntry = it.next();
        if(currentEntry.getKey().equals(name)) {
            currentEntry.setValue(value);
            return;
        }
    }
    things.put(name, value);
}

I've been in CS for the past 9 years, including jobs in industry and this looks so bonkers to me that it makes me feel like I am missing something...

He is basically replacing map[key]=Val with an iteration, then ends up calling the proper setter anyway, right? Why?

Sinestro
Oct 31, 2010

The perfect day needs the perfect set of wheels.

Job security.

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe

shodanjr_gr posted:

He is basically replacing map[key]=Val with an iteration, then ends up calling the proper setter anyway, right? Why?

I think he thinks put only works if the key isn't already in the dictionary.

Bobbin Threadbear
May 6, 2007

shodanjr_gr posted:

I've been in CS for the past 9 years, including jobs in industry and this looks so bonkers to me that it makes me feel like I am missing something...

He is basically replacing map[key]=Val with an iteration, then ends up calling the proper setter anyway, right? Why?

if map[key] exists, set it to val and return. If it doesn't, create it with the value.
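To make the cost concrete, here is an added Python rendering (not the code base in question) of the same two approaches, with a comparison counter on the scanning version. The workload and key names are made up for the example.

```python
class ScanningSetter:
    """Python rendering of setThing above: walk every entry comparing keys,
    then fall back to a plain insert. Counts key comparisons to make the cost visible."""

    def __init__(self):
        self.things = {}
        self.comparisons = 0

    def set_thing(self, name, value):
        for key in list(self.things):        # the entrySet().iterator() walk
            self.comparisons += 1
            if key == name:
                self.things[key] = value     # currentEntry.setValue(value)
                return
        self.things[name] = value            # things.put(name, value)


class DirectSetter:
    """What Hashtable.put already does: one hashed lookup that replaces or inserts."""

    def __init__(self):
        self.things = {}
        self.comparisons = 0   # stays 0: the hash lookup does not walk the table

    def set_thing(self, name, value):
        self.things[name] = value


def run_workload(setter, n):
    """Insert n keys, overwrite the last one, then add one brand-new key.
    Returns (final mapping, key comparisons performed)."""
    for i in range(n):
        setter.set_thing("k%d" % i, "v")
    setter.set_thing("k%d" % (n - 1), "updated")   # existing key: found only after n compares
    setter.set_thing("fresh", "new")               # missing key: n compares, then insert
    return setter.things, setter.comparisons


if __name__ == "__main__":
    for cls in (ScanningSetter, DirectSetter):
        things, count = run_workload(cls(), 1000)
        print(cls.__name__, "entries:", len(things), "comparisons:", count)
```

Both setters end up with the identical mapping, which is the point of the thread: the scan buys nothing. For n inserts the scanning version performs n(n-1)/2 comparisons just to build the table, and every later update or miss costs another n.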

shodanjr_gr
Nov 20, 2007

Bobbin Threadbear posted:

if map[key] exists, set it to val and return. If it doesn't, create it with the value.

Ok, so it's basically as retarded as it looks.

Amarkov
Jun 21, 2010

But... like... how would you know to use a hashtable, without also knowing why you should not iterate through it?

LOOK I AM A TURTLE
May 22, 2003

"I'm actually a tortoise."
Grimey Drawer

Maybe at first he used a list, then someone told him he should use a hashtable instead, and, well...

Incrediblastic
Oct 29, 2010

I eat food.
This is what I wrote trying to be as generic as possible. Deleted the comments because they were in my native language. Observe.

code:
# Python 2 (xrange, print statement, builtin reduce, integer division).
# `choice` was used but never imported in the original; the import is added here.
from random import choice

def nary_logic_gen(TLst):
    nary_and_gen=lambda TLst:lambda x,y:TLst[min([TLst.index(x),TLst.index(y)])]#((TLst.index(x)<TLst.index(y)) and x) or y
    nary_or_gen=lambda TLst:lambda x,y:((TLst.index(x)<TLst.index(y)) and y) or x
    nary_not_gen=lambda TLst:lambda x:TLst[TLst.index(x)-1]
    nary_bicond_gen=lambda TLst:lambda x,y:(x==y and x) or TLst[TLst.index(x)-1]  # built but never returned
    return [nary_and_gen(TLst),nary_or_gen(TLst),nary_not_gen(TLst)]

# one rule: '#' when the neighbourhood matches template t, else ' ' (via or/and with the negation)
single_generic_rule_gen=lambda t,notop,andop,orop:lambda l,i,ne:(reduce(lambda c1,c2:c1 and c2,map(lambda x:t[x[0]]==l[(x[1]+i)%len(l)],zip(range(len(t)),ne))) and orop(l[i],notop(l[i]))) or andop(l[i],notop(l[i]))#notop(l[i])

generic_rule_gen=lambda rule_templs,not_op,andop,orop:map(lambda x:single_generic_rule_gen(x,not_op,andop,orop),rule_templs)

# OR all template rules together into one cell-update function
ca_rule_gen=lambda rules,or_op:lambda l,i,ne:reduce(lambda c1,c2:or_op(c1,c2),map(lambda x:x(l,i,ne),rules))

def ca_gen(TLst,templates,start,gens,ne=[-1,0,1]):
    ourand,ouror,ournot=nary_logic_gen(TLst)
    rule=generic_rule_gen(templates,ournot,ourand,ouror)
    rule=ca_rule_gen(rule,ouror)
    next_gen=start
    for i in xrange(gens):
        print next_gen
        t=''
        for y in xrange(len(next_gen)):
            t+=rule(next_gen,y,ne)
        next_gen=t

def make_rand_start(TLst,n):
    s=''
    for i in xrange(n):
        s+=choice(TLst)
    return s

def make_rand_rule(TLst,n,ne_len):
    rs=[]
    while(len(rs)!=n):
        r=''
        for y in range(ne_len):
            r+=choice(TLst)
        if r not in rs:
            rs.append(r)
    return rs

def wrap_start(TLst,middle,start_length):
    start_length-=len(middle)
    left=TLst[0]*(start_length/2)
    right=TLst[0]*(start_length/2-1)
    return left+middle+right

rand_everything=lambda TLst,rule_num,ne,n:ca_gen(TLst,make_rand_rule(TLst,rule_num,len(ne)),make_rand_start(TLst,157),n,ne)
rand_everything2=lambda TLst,rule_num,ne,n:ca_gen(TLst,make_rand_rule(TLst,rule_num,len(ne)),wrap_start(TLst,TLst[len(TLst)-1],157),n,ne)
rule110=['  #',' # ',' ##','# #','## ']

I can't read this now btw.

EDIT: This is supposed to be a 1D cellular automaton simulator or w/e that's called.

Incrediblastic fucked around with this message at 09:05 on Oct 17, 2013
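The same automaton written to be read, as an added example (not Incrediblastic's code): one function computes a generation by matching each cell's neighbourhood window against the templates, which is what the lambda chain above does with its generated and/or/not operators. It reuses the rule110 template list from the post; the function names and the seed are new.

```python
def step(cells, templates, neighbourhood=(-1, 0, 1), on="#", off=" "):
    """One generation of a 1D cellular automaton with wrap-around edges.

    A cell becomes `on` when the string formed by its neighbourhood (here the
    cell to the left, itself, the cell to the right) equals any template,
    otherwise `off`. This is the OR-over-templates computed by ca_rule_gen above.
    """
    n = len(cells)
    out = []
    for i in range(n):
        window = "".join(cells[(i + d) % n] for d in neighbourhood)
        out.append(on if window in templates else off)
    return "".join(out)


def run(start, templates, generations, neighbourhood=(-1, 0, 1)):
    """Return every generation from `start` onward, `generations` steps deep."""
    history = [start]
    for _ in range(generations):
        history.append(step(history[-1], templates, neighbourhood))
    return history


# The five neighbourhoods that switch a cell on under Wolfram's rule 110;
# identical to the rule110 list in the post.
RULE110 = ['  #', ' # ', ' ##', '# #', '## ']

if __name__ == "__main__":
    seed = " " * 40 + "#" + " "      # single live cell near the right edge
    for line in run(seed, RULE110, 20):
        print(line)
```

From a single live cell rule 110 grows leftwards as `#`, `##`, `###`, `## #`, `#####`, which is the sequence the assertions below check.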

tef
May 30, 2004

-> some l-system crap ->

HORATIO HORNBLOWER posted:

I don't even know what to say about this. I thought I was used to seeing terrible code in our rotten, diseased codebase but there's just constantly new and wonderful surprises in there.

Java code:
private Hashtable<String, String> things;

public void setThing(String name, String value)
{
    Iterator<Entry<String, String>> it = things.entrySet().iterator();
    Entry<String, String> currentEntry = null;
    while(it != null && it.hasNext()) {
        currentEntry = it.next();
        if(currentEntry.getKey().equals(name)) {
            currentEntry.setValue(value);
            return;
        }
    }
    things.put(name, value);
}

Have seen a similar thing, except it was more like this:

code:
def set(hash, key, value):
    # every call stores under a fresh "<key>_<value>" key, so old values pile up
    new_key = key+"_"+value
    hash[new_key]=value

def get(hash, key):
    # linear scan over every key; falls off the end (returns None) when nothing matches
    for k in hash.keys():
        if k.startswith(key+"_"):
            return hash[k]

a prefix search over hash keys.

substitute
Aug 30, 2003

you for my mum

substitute posted:

Update: :stare:

It goes so much deeper...

I can't even...

:stonk:

Official (summarized) response from developer:

You can wildly query the database and insert code in the page/display, but the site can't be hacked with any of this stuff. Thanks.

New Yorp New Yorp
Jul 18, 2003

Only in Kenya.
Pillbug

substitute posted:

Official (summarized) response from developer:

You can wildly query the database and insert code in the page/display, but the site can't be hacked with any of this stuff. Thanks.

I bet you could execute a SELECT statement that brings the DB server to its knees.

IMlemon
Dec 29, 2008

At the very end of 3KLOC utility class:

Java code:
public static void main(String[] args) {
    BigDecimal tets = new BigDecimal("100000.2");
    System.out.println("Test successful!");
}

ikanreed
Sep 25, 2009

I honestly I have no idea who cannibal[SIC] is and I do not know why I should know.

syq dude, just syq!

IMlemon posted:

At the very end of 3KLOC utility class:

Java code:
public static void main(String[] args) {
    BigDecimal tets = new BigDecimal("100000.2");
    System.out.println("Test successful!");
}

Jeez, it's like you want test cases to fail, you monster.

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

ikanreed posted:

Jeez its like you want test cases to fail, you monster.

"tets" cases.

Zhentar
Sep 28, 2003

Brilliant Master Genius

Suspicious Dish posted:

I think he thinks put only works if the key isn't already in the dictionary.

And there's a fair chance that he convinced himself of this while struggling to fix some bug in his code, and now bitches about how stupid it is that Java makes you do that.

Posting Principle
Dec 10, 2011

by Ralp

"Java is so verbose, I could have done this in one line in Python"

Drape Culture
Feb 9, 2010

But it was all right, everything was all right, the struggle was finished. He had won the victory over himself. He loved Big Brother.

The End.

Java code:
public class Utility {
    ...
    public static void closeConnection(final Connection conn) throws SQLException {
        conn.close();
    }
    ...
}

Mogomra
Nov 5, 2005

simply having a wonderful time

If you don't see the utility in that, I don't know what's wrong with you.

IMlemon
Dec 29, 2008

One of the core abstractions in the system i'm working on right now.

Java code:
/**
 * This class encapsulates information for a message 
*/
public abstract class BaseMessage {
    
}

Maybe I should find another job.
